
Re: SSL weakness affecting links from pa




As the person who invented (and misspelt) the referer link I don't agree
with the arguments made against it. The purpose of the referer link is
to allow servers to collate pages of backlinks. This would make the
Web browsable in both directions.

I could never understand why Netscape supported the facility in the
browser without also supporting the capture functionality in the
server. It's a simple matter to add support but they seem uninterested.

Of course there should be a toggle to allow users to turn off the
referer field. I tried to get a recommendation to do this put into the
spec. People then started shouting at me saying that it was impossible
to enforce and so the recommendation shouldn't be there. Quite
what the relevance of 'enforcement' is I don't know.


Then they started jamming stupid ideas like cookies into the spec,
ideas that showed all of five minutes' thought.


 
>Which was my original point. I'd even be willing to *pay* for a cert, but
>not more than about $15. I just find it odd that I can get SSL server
>software for cheaper than I can get a license to operate said software.
>Hey Verisign, why don't you offer a Class 1 server certificate?

The manner in which SSL is designed means that it requires a degree
of trust in the certificate. Allowing the browser to automatically accept
a class 1 cert would be somewhat foolhardy. Because someone put
that damn key on the bottom of the browser some people expect there
to be security. Instead they get encryption which ain't quite the same
thing.

There is nothing to stop you using a non-standard cert with SSL however.
I use Apache with a cert I wrote myself.

    Phill

